website security problems

stephenw10

This is not a RAM issue.

It's almost certainly a browser issue. That should be easy to check though by just using a different browser.
It could be a combination of things and that browser plugin is just revealing it.

Like something is resolving those to a different page, maybe a warning or error, and your browser is showing that because it's http.

Steve

johnpoz

What is funny is his example is showing https://amazon.com in the url address bar.

If you go to amazon.com via http or https it should be sending his browser a redirection.

Resolving amazon.com (amazon.com)... 205.251.242.103, 176.32.103.205, 54.239.28.85
Connecting to amazon.com (amazon.com)|205.251.242.103|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://amazon.com/ [following]
--2021-11-11 09:29:03--  https://amazon.com/
Connecting to amazon.com (amazon.com)|205.251.242.103|:443... connected.

--2021-11-11 09:29:39--  https://amazon.com/
Resolving amazon.com (amazon.com)... 205.251.242.103, 176.32.103.205, 54.239.28.85
Connecting to amazon.com (amazon.com)|205.251.242.103|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.amazon.com/ [following]
--2021-11-11 09:29:39--  https://www.amazon.com/
Resolving www.amazon.com (www.amazon.com)... 23.11.225.174
Connecting to www.amazon.com (www.amazon.com)|23.11.225.174|:443... connected.

Notice the "301 Moved Permanently" and then the new www. url and following to that..

He could have something blocking something - and his browser is showing this error as a red herring because it doesn't know any better?

I would love to see a wget even - take the browser out of the equation.

nimrod

@stephenw10 said in website security problems:

This is not a RAM issue.

It's almost certainly a browser issue. That should be easy to check though by just using a different browser.
It could be a combination of things and that browser plugin is just revealing it.

Like something is resolving those to a different page, maybe a warning or error, and your browser is showing that because it's http.

Steve

@stephenw10 not sure if you saw, but issue is already resolved. Check the post from @johnpoz. Issue is exactly what i described in my first post. Also, i never said it was a RAM issue. @jc1976 was wondering where did the certain amount of total system RAM go, so i explained him that system RAM is shared with onboard graphics.

johnpoz

@nimrod I am not sure I would consider it "resolved" until we actually hear from the user that he has it working now.

stephenw10

@nimrod said in website security problems:

@stephenw10 not sure if you saw, but issue is already resolved. Check the post from @johnpoz. Issue is exactly what i described in my first post. Also, i never said it was a RAM issue.

I realise. But @jc1976 suspected it might be and I was ruling that out.

Yeah, is that browser setting blocking the http redirect? Seems like that should happen over https but I've never dug too deeply into that.

Steve

nimrod

@johnpoz

Im constantly getting notified that posts have been edited, i thought i saw he said issue was resolved. I scrolled back now, and i dont see it. Im sorry, my bad.

jc1976

@nimrod

Regarding trying this all out with a different browser and different computers, that was done.

i attempted the same thing with edge, and my GF is using her mac with chrome, she's having the same issues as well. She has two mac laptops (one for work, one personal), both have the same issue.

So, i'll make the change with firefox but as i said before, this wasn't an issue a few weeks ago and up until last night absolutely nothing has changed. last night i uninstalled, rebooted, reinstalled (as default) firefox and the issue is still there.

johnpoz

@jc1976 said in website security problems:

and my GF is using her mac with chrome, she's having the same issues as well.

And again pfsense has ZERO systems to make such a notification to the browser - that error is a BROWSER thing.. Now its possible your filtering the 301 redirection, but I really don't see anything in pfsense that would do that.. Maybe some sort of IPS?

How about you do a simple fetch or wget.. Now www.amazon.com is going to resolve to something different than amazon.com as you can see in my outputs from wget..

If your browser is not seeing the redirection and tries to load https://amazon.com via 443 then yeah the cert could fail and your BROWSER would warn you about it..

edit:
But when you look at my test of https://amazon.com I get the 301 redirect over 443, and the cert is trusted, etc.. Maybe you have something wrong with your systems Trusted Certs?

Here for example using debug on the wget I can see the ssl info, etc. and via that connection I get 301 that it moved to https://www.amazon.com

--2021-11-11 15:05:53--  https://amazon.com/
Resolving amazon.com (amazon.com)... 205.251.242.103, 176.32.103.205, 54.239.28.85
Caching amazon.com => 205.251.242.103 176.32.103.205 54.239.28.85
Connecting to amazon.com (amazon.com)|205.251.242.103|:443... connected.
Created socket 3.
Releasing 0x00005653b3975a30 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x00005653b3975b50
certificate:
  subject: CN=*.peg.a2z.com
  issuer:  CN=DigiCert Global CA G2,O=DigiCert Inc,C=US
X509 certificate successfully verified and matches host amazon.com

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.20.3 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: amazon.com
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 301 Moved Permanently
Server: Server
Date: Thu, 11 Nov 2021 21:05:53 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://www.amazon.com/
Permissions-Policy: interest-cohort=()

stephenw10

Mmm, that error you're seeing in Firefox is a specific firefox error. So what error do you see in other browsers? There are almost certainly some clues there.

Steve

johnpoz

@stephenw10 I have tried to duplicate this with firefox turning on https-only, etc. And going to http or https://amazon.com or pfsense.com etc.. all just work fine - with the 301 redirection to www.

Maybe a proxy or ips thing? Proxy maybe doing some sort of https mitm?

bPsdTZpW

@jc1976 I suspect DNS is serving incorrect addresses, or possibly some security software is acting as a MITM and is not handling amazon.com's redirect correctly. What's the output if you nslookup amazon.com , then nslookup www.amazon.com ? Is the former IP in a range owned by Amazon (lookup at https://whois.arin.net )?

FWIW, I do not see this problem when enabling HTTPS-only mode in FF (v94.0).

stephenw10

Mmm, I could certainly believe DNS shenanigans.

Try just resolving locally, stop sending your queries to Cloudflare.

jc1976

@stephenw10

Hey fellas! really, thank you SO much for your input in all this!

the issue also came up on edge and chrome. i only have firefox and edge on my home workstation. I tried it all on my laptop as well and had the same issues.

regarding resolving locally instead of cloudflare, i'm a bit uncertain what you mean by that. DNS settings are:

127.0.0.1
1.1.1.1
1.0.0.1

I don't use dnsmasq (forwarder), just unbound.

disabling https: only mode in all windows (under firefox) seems to have things behaving more normally, but again, i don't have ANY services enabled (suricata, pfblocker, squid/clamav). so who knows what will happen if i were to re-enable those.

I also don't have any rules setup, so i don't know what is causing my trading apps to hang upon startup, at least not at the moment because again, anything that would block them has been shut down..

i've even shut down my windows defender firewall to make sure that couldn't be causing the hang-up.. it's all very weird.

Johnpoz mentioned filtering 301 redirection.. i'm gonna do my research and find out how to figure that out because this whole thing feels like a filtering issue, i just don't know how to go about figuring that out (still learning).

i trying to explain to our consultant at work what goes on..
-i opened up firefox to DDG.
-searched for ad blocker test
-given a list of sites to test ad blocks.
one of which i used is "https://canyoublockit.com"

clicking on the link for https://canyoublockit.com yields nothing.. the site just doesn't open. clicking multiple times does nothing, it just sits there as if i didn't click on anything. sometimes it would give me the security error... but otherwise nothing happens.. then if i close out and come back, maybe the site would open.. it's random..

stephenw10

@jc1976 said in website security problems:

I have cloudflare setup for dns over tls

If you are doing that then you're sending DNS queries to them rather than resolving locally. Assuming it's setup correctly.

What error do you see in Edge? Or any other browser on any other client?

Steve

jc1976

@stephenw10 it's not even the browsers, it's my software.

i have an old crappy cisco rv042 from long ago as a backup.
right now, i have that plugged in because aside from websites not loading, even my trading apps are hanging.

i have EVERY service/package shut down so there shouldn't be anything blocking anything, other than the default ruleset that blocks all incoming connections.

I'm going to have to reinstall it all from scratch when i get a chance.
really aggravating.

stephenw10

Backup your config, restore to defaults, re-test. It's easy to restore the config if it doesn't help.

jc1976

@stephenw10 yup!

i'm happy to say that my GF left for the weekend so performing a ground-up reload of pfsense is what i'll be doing tonight after i get home from work.

I'll keep you posted.

Thanks again for all your input!

jc1976

@jc1976
looks like i'm back in business..

gparted the drive and reloaded pfsense from scratch. I've got the base config down, only modifications done are to dns over tls with cloudflare..

so far, so good.. very snappy and the throughput is where it's supposed to be..

did a backup.. not sure if i wanna bother adding packages yet.. it's nice to have it back up and running. just reeeaaaaally despise the ads and marketing from my devices..

nimrod

@jc1976

I dont see any reason why you should not install pfBlockerNG.

jc1976

@nimrod well, i started off with installing squid..

i ended up canning squid/clamav because even in it's basic installation it was causing issues.

for good measure i also rebuilt the tcpip stack and winsock in my windows 10 pro install..

i spent a while working through basic rule creation to make sure they wouldn't interfere with my apps, that way i know if i have any issues when i install suricata and pfblocker i'll have a better idea of who's causing problems, should any arise.

What are peoples experience with the feodo, c2c(?), sslblacklist options that are part of the suricata install?

do they cause a lotta false positives?